You can almost feel it, can't you?

jimallyn
Level 18
Posts: 8904
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: You can almost feel it, can't you?

Post by jimallyn » Mon Jun 26, 2017 8:15 pm

Cosmo., if I understand correctly, what you just gave me is the way to demonstrate the problem, and not the way to fix it?

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan

Cosmo.
Level 23
Posts: 17827
Joined: Sat Dec 06, 2014 7:34 am

Re: You can almost feel it, can't you?

Post by Cosmo. » Mon Jun 26, 2017 8:20 pm

Yes and no.

Yes, as my intention with my last advice was to give you an own experience, how easy it gets in 18.2 beta for an attacker.

No, because with the second method you will get exactly the same result as with the sudo passwd command in a usual terminal in a usual session. So the demonstration - if you behave as your own attacker - is also the same fix.

MintBean
Level 9
Posts: 2967
Joined: Fri Aug 07, 2015 6:54 am
Location: Blighty

Re: You can almost feel it, can't you?

Post by MintBean » Mon Jun 26, 2017 8:24 pm

So you've pointed the issue out to the devs, but they're seemingly carrying on regardless? Or am I misunderstanding?

greerd
Level 6
Posts: 1053
Joined: Sat Jul 31, 2010 10:58 am
Location: Nova Scotia, Canada

Re: You can almost feel it, can't you?

Post by greerd » Mon Jun 26, 2017 8:26 pm

So would a person be able to su - to achieve root access (without a password)?

Cosmo.
Level 23
Posts: 17827
Joined: Sat Dec 06, 2014 7:34 am

Re: You can almost feel it, can't you?

Post by Cosmo. » Mon Jun 26, 2017 8:30 pm

MintBean wrote: So you've pointed the issue out to the devs, but they're seemingly carrying on regardless? Or am I misunderstanding?
No, unluckily you did understand correctly.
Last edited by Cosmo. on Mon Jun 26, 2017 8:41 pm, edited 1 time in total.

Cosmo.
Level 23
Posts: 17827
Joined: Sat Dec 06, 2014 7:34 am

Re: You can almost feel it, can't you?

Post by Cosmo. » Mon Jun 26, 2017 8:32 pm

greerd wrote: So would a person be able to su - to achieve root access (without a password)?
No. Without a root password you cannot su to root. The problem does not apply in the usually running system, but only in the recovery console. See my description for jimallyn for the how to.

MintBean
Level 9
Posts: 2967
Joined: Fri Aug 07, 2015 6:54 am
Location: Blighty

Re: You can almost feel it, can't you?

Post by MintBean » Mon Jun 26, 2017 8:58 pm

Cosmo. wrote:
MintBean wrote: So you've pointed the issue out to the devs, but they're seemingly carrying on regardless? Or am I misunderstanding?
No, unluckily you did understand correctly.
This is a shame. Mint is often slated (unfairly, in my opinion) as being insecure by a small hardcore who shout pretty loud. If 18.2 releases with this vulnerability they're going to have a field day and it will be pretty tough to argue against them.

jameskga
Level 3
Posts: 195
Joined: Sat Jun 04, 2016 8:23 pm

Re: You can almost feel it, can't you?

Post by jameskga » Mon Jun 26, 2017 9:56 pm

This is a fascinating discussion, and I'd love to hear a response to Cosmo.'s concerns from someone closer to the development team. Nice work, jimallyn and Cosmo. Good questions, MintBean.

Could it be that this security hole was created and introduced for beta testing purposes? So that if you mess something up, you can easily assume control of the OS?
LMDE 3 Cinnamon (64-bit)
I am out there

all41
Level 14
Posts: 5371
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: You can almost feel it, can't you?

Post by all41 » Mon Jun 26, 2017 11:34 pm

No. Without a root password you cannot su to root
Still confused Cosmo--does this mean we are unable to change (randomized) root password---at all?
btw: your vigilance on this subject is appreciated here

Cosmo.
Level 23
Posts: 17827
Joined: Sat Dec 06, 2014 7:34 am

Re: You can almost feel it, can't you?

Post by Cosmo. » Tue Jun 27, 2017 5:54 am

MintBean wrote: Mint is often slated (unfairly, in my opinion) as being insecure by a small hardcore who shout pretty loud. If 18.2 releases with this vulnerability they're going to have a field day and it will be pretty tough to argue against them.
What you most likely mean are criticisms against the update manager. And I agree. Those criticisms were IMO wrong in the past. If I would want to be sarcastic I would say, that the update manager got changes, until the shouters became right. If I try to be not sarcastic I do not find any reasonable argument for the firefox in level 3 setting, which creates a security leak, which was until 18.1 not there and which makes Mint to (one of) the least secure Ubuntu-based distros. (/Sarcasm on: Looking for new features? We have a nice new security leak for you. We provide no reasoning for it, but we have included it. /Sarcasm off) I wrote in details about this terrible bug here.

Cosmo.
Level 23
Posts: 17827
Joined: Sat Dec 06, 2014 7:34 am

Re: You can almost feel it, can't you?

Post by Cosmo. » Tue Jun 27, 2017 5:59 am

jameskga wrote: Could it be that this security hole was created and introduced for beta testing purposes? So that if you mess something up, you can easily assume control of the OS?
From the internal discussion I made about the issue I can exclude this. All we have at now is the hope, that the developers acknowledge their mistake and correct it before 18.2 gets final.

Cosmo.
Level 23
Posts: 17827
Joined: Sat Dec 06, 2014 7:34 am

Re: You can almost feel it, can't you?

Post by Cosmo. » Tue Jun 27, 2017 6:39 am

all41 wrote: does this mean we are unable to change (randomized) root password---at all?
No, it is possible to change the root password after installing 18.2 beta. Either with this method (usually the most simple and logical method) or with this method (only meaningful to demonstrate, how easy it will be for a local attacker); both methods lead to the same result.

As I already wrote, the possibility to correct the bug afterwards is the only positive, which I can tell at now. But how has a distro to be judged, if the user has to fix a security leak at first after installation? Assume, we would have to do this in the forum after the final 18.2 release: Imagine, how the users (and especially new and unexperienced users) will react! :roll: :twisted: This reminds me somehow to the history to the old Netscape browser: If nobody can beat you, then beat yourself. :mrgreen: (And Netscape dropped in a few years from more than 80 % market share down to invisibility.) Nobody here wants that; I am in the first row to do against this, as far as I am able to do. But such things have happened and they can happen again.

When I reported the issue internally, I demonstrated already in my first message, how a local attack can get executed with 2 lines of commands. In the first reply I got the answer, that this attack method could get reproduced. But with this confirmation the consensus came rapidly to an end (in a discussion with more than a dozen messages) and finally I got the infamous statement to agree to disagree (I changed this statement to disagree to agree). I tried everything, what I can do, to prevent this serious mistake, but if this should make it into the final release, it will be too late.

clem
Level 12
Posts: 4111
Joined: Wed Nov 15, 2006 8:34 am

Re: You can almost feel it, can't you?

Post by clem » Tue Jun 27, 2017 7:39 am

Firefox updates in MintUpdate

The wrong classification was a bug and it was reported on the blog. It was fixed 3 days ago https://github.com/linuxmint/mintupdate ... fc33fefc1d.

The level (3) is correct. Although FF is a single app, if it was to stop working it would be quite a problem for a novice user. For this reason we recommend to apply this update in isolation to the huge amount of level 2 updates being delivered.

As you probably know already, security updates are visible no matter what policy you select.

Root password

In the past we used to assign the password chosen during the installation to both the main user and the root account.

In 18.2 we decided to stop doing that and to revert to what Ubuntu is doing, i.e. not to set a root password at all.

When the release notes were written a mistake was made and the release notes mentioned that root was now given a random password. I can't remember whether Ubiquity (the Ubuntu installer) set a random password years ago, but in any case, that's what we initially thought Ubuntu was doing. Xenopeek within the team flagged that this was not the case and that no random password was made. After checking the code in Ubiquity and the resulting shadow files in Mint 18.2 and Ubuntu 16.04, it was confirmed that no random passwords were assigned and that the root account was simply locked. The release notes which were therefore incorrect were updated.

Here are a couple of facts about root accounts (this is a huge design topic):

- The way Mint 18.2 works in relation to root accounts is EXACTLY the same as in Ubuntu 16.04 (i.e. a locked root account)
- No random password is assigned to the root account
- You can access the root account via "sudo -i" or "sudo su -"
- Once in the root account, you can give root a password with "passwd"

Among the reasons for this change in Mint 18.2:

- The decision to align ourselves and do more and more things exactly like Ubuntu, especially in areas which didn't matter most to us (for different reasons... first because it wasn't properly documented that this behaviour was different in Linux Mint and thus therefore many newcomers coming from Ubuntu wrongly assumed Mint worked the same way, and second, I hate to say that, but because we've seen Canonical employees resort to defamation and promote Ubuntu by spreading FUD on Linux Mint. Although these are easy to debunk when the change or difference is worth debating, it's also very easy for us to simply align ourselves when this isn't the case. Typically here, we don't believe it is important for the root account to be operational graphically out of the box, so we're happy to align ourselves.).

- The fact that it wasn't mentioned anywhere in the installer that there was a root account and that the password set was assigned to this account. From a security point of view, this in my opinion is something we had to tighten. If Joe user chose "password" as his installation password, and later read somewhere on the Internet that this wasn't a very good idea in case his computer got stolen.. he would then go on and secure his password, but because he was never explicitly told about the root account, he would probably forget to also secure the root password. If no root password was ever set, and he had been the one to do so himself, then we could assume the responsibility falls onto him a little more and expect him to remember the presence of that root account and the need for its password to also be secured.

Technically that last point is important, and strategically the first point is also important in my opinion. There have been many debates over the years, primarily between Ubuntu and other distributions about whether or not sudo itself was an improvement or an issue.. and frankly I really don't want to get into that. The decision for this change isn't primarily related to remote attacks and the mere fact that a remote attacker will "know" there is a "root" account, but won't necessarily know your own username. It isn't primarily related to local attacks either... if you have local access to the machine and the BIOS isn't secured, you don't need the root password to access everything, without encryption you can boot a live media and get all perms.. so it REALLY doesn't matter whether there is one set or not in the scope of the recovery console. In the end it boils down to these two things above... first... we're doing something which isn't explicit, second we're doing something which deviates from Ubuntu, a competitor of ours which is going through very difficult and unpopular design decisions and which is currently promoting itself as being more secure than us. We need to tighten things here, and that's what we did.
Cosmo. wrote: All we have at now is the hope, that the developers acknowledge their mistake and correct it before 18.2 gets final.
Well as you can see, the change in relation to the root account is welcome. Mint now works like Ubuntu in relation to this, this eliminates wrong assumptions for newcomers and the presence of a password they weren't necessarily aware of.

As for the Update Manager, I can't remember who flagged the issue. If it was you Cosmo, then thank you. It was fixed 3 days ago, so from mintupdate 5.2.8 both thunderbird and firefox updates are flagged as security updates. Unless you block them yourself or fine tune your settings not to see security updates, they'll always show up no matter what policy you're using.
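
One way to repeat the shadow-file check described in the post above, as an added example that is not part of the original post or of Mint's or Ubiquity's code: it classifies the password field of a shadow entry, where `locked` for root is the state clem reports for Mint 18.2 and Ubuntu 16.04. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field of /etc/shadow entries.
# Function names and the sample entries are constructed for illustration.

# shadow_state ENTRY
# Prints the state of the password field (2nd colon-separated field):
#   locked       "!", "!!" or "*...": no password can ever match
#   locked-hash  "!" followed by a hash: a password was set, then locked
#   empty        empty field: no password is asked for
#   set          anything else: a password hash is stored
#   invalid      the entry has no colon-separated fields
shadow_state() {
    line=$1
    case $line in
        *:*) ;;
        *) echo invalid; return 1 ;;
    esac
    rest=${line#*:}      # drop the user name
    field=${rest%%:*}    # keep only the password field
    case $field in
        '')           echo empty ;;
        '!'|'!!'|'*') echo locked ;;
        '!'*)         echo locked-hash ;;
        '*'*)         echo locked ;;
        *)            echo set ;;
    esac
}

# account_state USER [FILE]
# Looks USER up in FILE (default /etc/shadow, readable by root only)
# and prints its state, or "missing" if there is no such entry.
account_state() {
    user=$1
    file=${2:-/etc/shadow}
    while IFS= read -r entry; do
        case $entry in
            "$user":*) shadow_state "$entry"; return 0 ;;
        esac
    done < "$file"
    echo missing
    return 1
}

# Demonstration on constructed entries (not taken from a real system).
demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
root:!:17343:0:99999:7:::
alice:$6$constructedsalt$constructedhash:17343:0:99999:7:::
EOF
    for u in root alice; do
        printf '%s: %s\n' "$u" "$(account_state "$u" "$sample")"
    done
    rm -f "$sample"
}
demo
```

On an installed system, `account_state root` run as root reads the real `/etc/shadow`.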

clem
Level 12
Posts: 4111
Joined: Wed Nov 15, 2006 8:34 am

Re: You can almost feel it, can't you?

Post by clem » Tue Jun 27, 2017 7:44 am

Regarding the initial topic... you know we don't give ETAs.. but we're getting very close.

clem
Level 12
Posts: 4111
Joined: Wed Nov 15, 2006 8:34 am

Re: You can almost feel it, can't you?

Post by clem » Tue Jun 27, 2017 7:52 am

To vulgarize to the extreme on the root password situation:

Setting a root password without explicitly telling the user could be considered a security flaw (because as I explained, that user could change his compromised or unsecure password in the future and not know that he also needs to change the root password). If you consider this to be an issue, then it was "fixed" in 18.2.

Without a root password set, the recovery console accessible from grub gives any local user root access. This can also be considered a security flaw.... but there are a few things at play here:

- For most people (without encryption, or BIOS passwords, or secure physical access), you can boot a live medium or mess with grub anyway... so you can get access to root locally, whether or not a password is set.
- This is the way Ubuntu works and has always worked. You can argue the pros and cons if you want, but you're not looking at a bug here, you're looking at design choices.

If you're interested in debating this, please refer to upstream discussions. They obviously have already occurred, here's one: https://ubuntuforums.org/showthread.php?t=1835593.

all41
Level 14
Posts: 5371
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: You can almost feel it, can't you?

Post by all41 » Tue Jun 27, 2017 10:14 am

@clem
Thank you for clarifications

MintBean
Level 9
Posts: 2967
Joined: Fri Aug 07, 2015 6:54 am
Location: Blighty

Re: You can almost feel it, can't you?

Post by MintBean » Tue Jun 27, 2017 10:17 am

Yep, thanks Clem for chiming in and also the mod who (presumably) took the time to draw his attention to this topic.

Cosmo.
Level 23
Posts: 17827
Joined: Sat Dec 06, 2014 7:34 am

Re: You can almost feel it, can't you?

Post by Cosmo. » Tue Jun 27, 2017 11:52 am

Hi Clem, at first thank you for replying.

I will respond in this post at the first topic you mentioned: Firefox. A second reply regarding the password will follow during this day.
clem wrote: The level (3) is correct. Although FF is a single app, if it was to stop working it would be quite a problem for a novice user. For this reason we recommend to apply this update in isolation to the huge amount of level 2 updates being delivered.
I disagree completely. I use Firefox since countless years and did not see any breakage because of an update. If it goes about Mint or Cinnamon or ... or ..., my light is surely so tiny against yours, that it would appear as a small asteroid beside a giant star (like Rigel) - practically invisible. But since I am in the Forum, now 2.5 years, I belong to those regular helpers, who deal nearly daily with complaints and user support requests regarding Firefox. Nobody writes more advices about Firefox than I do. So I "see" countless Firefox problems. I assume, that you do not have the time to read the Forum daily, and so you cannot see yourself my activity, but you do not have to trust me, ask xenopeek or whomever you want, what I do here and they will confirm this. So regarding Firefox we speak at the same level.

From this experience I tell you, with all respect and with all politeness, which my parents taught me in the middle of the last century: Sir, you are wrong. I ask you with all respect and politeness: Where do you take this statement from?

If a user gets a Firefox problem, it is near to always a problem with the FF-profile, in some cases a problem with the user account. Those problems can and do arise also, if there is no update in game.

Furthermore, in the very most cases of Firefox problems it is extremely seldom, that the browser does not work at all. Usually there are other problems, like a problem with Flash or the browser does not behave, as the user expects it. So "stop working" (your words) is - although theoretically possible - merely a hypothetical assumption. For this hypothetical assumption you give the users the risk, that they - possibly for a longer time - browse the web with a vulnerable and in principle fixable Firefox. This is a security leak! Or would you seriously recommend a user, who thinks, that he still needs support for NPAPI plugins (e. g. Java, we had this case just in the last 2 days), OK. continue with your old version and don't care about the dozens of documented security leaks? Sir, I cannot imagine, that you would tell this. We do in the forum our best, to show the users, what has happened and how they can solve the issue. (In the just mentioned case I gave yesterday the user 2 possible solutions: Either use for the next 12 months the Firefox ESR version or give the mail-provider (who caused the trouble) a step into the rear. The user replied today, that he decided for the second advice.)

I ask you further: What arguments do you have, that you qualify Firefox as the only browser as level 3 update, whereas Chromium is set by you as level 1 and all other browsers are at level 2. I don't care, that Chromium is level 1, but I would like to hear anyway, which arguments you have for that, because it could help me to understand your judgment about the leveling.

Reading between the lines I can only assume, that you did this, because Firefox is the pre-installed browser in Mint. But even in the worst - as said, merely hypothetical - case, the user has still a number of options: He can install another browser or he can launch the live system to ask for help.

The other alternative would be, to apply no updates at all. What does not get updated, does not get changed. You self wrote some time back, that this is not a real option. And it will not help, if the FF-profile gets broken - as said, the far most culprit for problems, completely independent from any update. The risk, you are trying to protect the user against, can happen on every day and it does happen nearly daily.

Besides that: You have set Thunderbird as level 1. Fact is, that in the hypothetical case, that Firefox should get broken completely, the user can install another browser with a few clicks, then come here and ask for help. If Thunderbird should break, the user will possibly have no choice - at sure not, if he is unexperienced - to use their mails; they will not even be able to read their mails. But for some users their mails might be a very critical part of their daily usage, not being able to reach them might lead them into a disaster. If the user has a POP3 account, there is not even the possibility to use the webmail interface in the browser, to get their old mails back. - No I don't argue for down-leveling TB; this is for demonstrating, that your arguing does not really convince.
clem wrote: As you probably know already, security updates are visible no matter what policy you select.
Yes, I know this. And I am quite sure, that you also know, that with policy 1 the user gets not the slightest hint, if a Firefox update is available, but no level 1 or 2 update at that time. I have reported this already 6 hours ago. The user will see the green check mark in the tray in this case and has no reason (and as a novice user also not the experience) to open the update manager GUI at all; he will not see the available update, possibly for some days. But he is now vulnerable, possibly (depending from the fixed security leak) very seriously. The culprit for this open attack vector is the - I repeat - wrong level for Firefox.
clem wrote: As for the Update Manager, I can't remember who flagged the issue. If it was you Cosmo, then thank you. It was fixed 3 days ago, so from mintupdate 5.2.8 both thunderbird and firefox updates are flagged as security updates. Unless you block them yourself or fine tune your settings not to see security updates, they'll always show up no matter what policy you're using.
Yes, this issue has been opened by me. (GitHub does not allow a dot in the nick and Cosmo was already in use, when I registered there, so I searched for a nick, which is as near as possible to my forum's nick. With other words: I am Cos-mo.)

As you can see, I had opened the issue because of the wrong Firefox level, and this is not solved at all. And as I told you above and in my last GH comment a Firefox update will in described circumstances not get visible for the user (policy 1) for several days at all. This is an unavoidable consequence of the wrong level. Firefox needs to get leveled as 1 or 2 (I don't care which of both).

If we assume - and obviously you do this - that the level system has a practical consequence, if and what the users do update, then it is completely clear, that we will see in the future an increasing number of mostly vulnerable systems. Leaving Firefox in level 3 means, to leave the most vulnerable application for a number of users - namely the not experienced ones - out of a reliable update cycle. This would not be in the responsibility of Mozilla, not in the responsibility of the repo maintainers (although far too often updates reach far too late), but alone to Mint. You complain about FUD and defamation? (I agree with you in this point.) You are just going to give those people munition to shoot against Mint.

This has nothing to do with the latest fix regarding the security flag. I had in the GH issue added this part, after the first FF update after the release of the beta got available.

Pjotr
Level 21
Posts: 12650
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: You can almost feel it, can't you?

Post by Pjotr » Tue Jun 27, 2017 12:07 pm

clem wrote: Mint now works like Ubuntu in relation to this, this eliminates wrong assumptions for newcomers and the presence of a password they weren't necessarily aware of.
That's indeed an excellent improvement. Thank you. :)

About Firefox: I understand why Firefox was flagged as level 3. But web browsers are, by far, the most attacked pieces of software of them all.

So even a relatively small delay in updating this high-risk package, can have serious security consequences. No matter whether this delay is intentional (because an inexperienced user is hesitating) or unintentional (because the blue shield of Update Manager didn't appear).

That's why I think the best balance of usability versus security would in this case be, to change the flag of Firefox into level 2 or even 1....
Tip: 10 things to do after installing Linux Mint 19.1 Tessa
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

clem
Level 12
Posts: 4111
Joined: Wed Nov 15, 2006 8:34 am

Re: You can almost feel it, can't you?

Post by clem » Tue Jun 27, 2017 12:17 pm

I think your issue is that you're still thinking in terms of how mintupdate used to work, and not in the way it works nowadays.

Emphasis was put on applying recommended updates, and all security updates are recommended. Emphasis was also put on doing so in isolation and with care.

I think you might have found another issue though*. The issue isn't with Firefox being a level 3, it should be a level 3, the issue is with the status icon not counting all updates.

Ideally everyone should update all levels, with more and more care and isolation as the level is high.

* We'll get that fixed as well.